kubernetes-sigs/aws-iam-authenticator

[Bug]:

BenHorneIL opened this issue · 0 comments

What happened?

We are migrating our access controls to AWS SSO. We have been using gimme-aws-creds to access the cluster and get credentials, and that is working fine. When we run aws configure sso, we are able to assume a role and see the resources in AWS. We have configured aws-iam-authenticator role mapping and identity mappings in the cluster, and we know they work with gimme-aws-creds.

With the switch to AWS SSO, aws-iam-authenticator does not show a way to use sso creds for authentication.

What you expected to happen?

aws-iam-authenticator should expose a way to use sso credentials that have been generated and not only use the .aws/credentials file, as AWS SSO does not write those creds to that file.

Anything else we need to know?

This is a KOPS cluster that currently works when not using AWS SSO.

Our configmap has entries similar to:

  - roleARN: arn:aws:sts:::assumed-role/assumed_role
    username: admin:{{SessionName}}
    groups:
    - system:masters

Currently running 0.5.12 on the kops daemon sets as that is the latest version there.

Installation tooling

homebrew

AWS IAM Authenticator client version

0.6.11

Client information

- OS/arch: Mac/arm64 13.4.1
- kubernetes client & version: client: 1.27.2, server 1.26.7

Kubernetes API Version

1.26.7

kubeconfig user

- name: user-sso
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - token
      - -i
      - cluster
      command: aws-iam-authenticator
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false